WAN vs LAN Interfaces | pfSense Documentation (2024)

pfSense® software treats interfaces differently based on whether they act as a WAN type interface (e.g. a connection to an upstream network) or a LAN type interface (e.g. a connection to an internal network). Most traditional interfaces fall into one of the two categories, with VPN interfaces being more of a gray area.

Note

The NAT portions of this document only refer to IPv4 behavior, not IPv6.

Choosing between WAN and LAN Types

The IPv4 Upstream Gateway and IPv6 Upstream Gateway options on the interface configuration control whether the firewall considers an assigned interface as a WAN or LAN type interface.

If an interface has a gateway selected, the firewall treats it as a WAN type interface. If an interface does not have a gateway selected, the firewall treats it as a LAN type interface.

There is no way to change the default behavior of dynamic interface types such as DHCP, PPP, and most assigned VPN interfaces. The GUI hides the gateway options on the interface configuration for these types of interfaces. The behavior of these interfaces is noted in the remainder of this document where relevant.

No matter how the firewall treats an interface by default, the firewall behavior can almost always be adjusted through the use of options in the GUI.

WAN Type Interface

A WAN type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall treats any interface with a gateway selected on its interface configuration as a WAN type interface. Dynamic IP address interfaces such as DHCP and PPP receive a dynamic gateway automatically and the firewall always considers them WAN interfaces.

For example, a static IP address WAN (e.g. Interfaces > WAN) would typically have a gateway selected such as WAN_GW. If this gateway selection is not present the firewall will treat the interface as a LAN type interface instead.

The firewall behavior changes in several ways for WAN type interfaces:

  • The firewall performs outbound NAT on traffic exiting a WAN type interface when using Automatic or Hybrid outbound NAT modes.

  • The firewall will not perform outbound NAT for traffic originating from the subnet(s) directly attached to a WAN type interface when using Automatic or Hybrid outbound NAT modes.

  • The firewall includes a WAN type interface in the count of WAN interfaces for Multi-WAN features. Some functions are hidden unless the firewall has more than one WAN type interface.

  • The firewall adds reply-to to firewall rules on a WAN type interface which returns packets for connections coming in through that WAN back out via the same WAN where possible.

    Note

    This behavior can be overridden on a per-rule basis using the option on firewall rules or it can be disabled globally on System > Advanced, Firewall & NAT tab.

  • The firewall adds route-to to automatic firewall rules for outbound traffic on a WAN type interface which ensures outbound traffic on the interface is sent to the configured gateway.

  • The traffic shaper wizard treats a WAN type interface as a WAN.

  • The DNS Resolver will not allow queries from the subnet(s) on a WAN type interface without a manual ACL entry.

LAN Type Interface

A LAN type interface is an interface which connects to a local network, for example a LAN, DMZ, management network, guest network, and so on. Typically this also includes site-to-site links used to reach other local or internal networks, such as VPNs and private or dedicated circuits.

The firewall treats any assigned interface without a gateway selected on its interface configuration as a LAN type interface.

Warning

Do not select a gateway on the Interfaces menu entry for local interfaces such as LAN or for site-to-site VPNs.

Local and other interfaces may have a gateway defined under System > Routing so long as that gateway is not selected on its interface configuration.

The firewall behavior changes in several ways for LAN type interfaces:

  • The firewall will perform outbound NAT for traffic originating from the subnet(s) directly attached to a LAN type interface when that traffic exits a WAN type interface and Automatic or Hybrid outbound NAT mode is active.

  • If NAT reflection is active the firewall will create NAT reflection rules which allow clients on LAN type interfaces to access port forwards from behind the firewall.

    Note

    This behavior can be changed on a per-rule basis using the option on NAT rules or it can be controlled globally on System > Advanced, Firewall & NAT tab.

  • The firewall will not perform outbound NAT on traffic exiting a LAN type interface when using Automatic or Hybrid outbound NAT mode.

  • The firewall does not add reply-to or route-to to firewall rules on a LAN type interface.

  • The traffic shaper wizard treats a LAN type interface as a LAN.

  • The DNS Resolver automatically allows queries from the subnet(s) on a LAN type interface.

VPN Interfaces

Assigned IPsec VTI and OpenVPN interfaces are treated differently than traditional interfaces. Most, but not all, of these points also apply to assigned GRE and GIF tunnel interfaces.

VPNs have numerous use cases which are similar to both LAN and WAN type interfaces, and in some cases both. For example a VPN could be for site-to-site links, remote access for mobile clients, or for connecting to the Internet through a VPN provider. The default behavior of the firewall attempts to balance the most common user needs and expectations when handling assigned VPN interfaces.

Note

Currently WireGuard interfaces act similar to traditional interfaces when assigned, so their behavior primarily depends upon whether or not a gateway is selected in their interface configuration.

  • The firewall treats an assigned VPN interface as a LAN type interface for NAT, which means that it lists the subnets on these interfaces as traffic sources for outbound NAT and it does not perform outbound NAT on traffic exiting these interfaces.

    In most cases a user does not expect the firewall to perform NAT on VPN traffic by default. Outbound NAT rules in Hybrid or Manual outbound NAT modes can make the firewall perform outbound NAT if a use case requires NAT.

  • The firewall treats an assigned VPN interface as a WAN type interface for traffic shaping if a VPN interface is capable of using ALTQ traffic shaping.

  • The firewall treats an assigned VPN interface as a WAN interface for firewall rule attributes such as reply-to and route-to. This ensures that traffic entering the firewall over a specific VPN connection returns back through the same VPN.

  • The DNS Resolver treats an assigned VPN interface as a LAN interface and allows queries from subnet(s) configured on the VPN.

Note

Firewall features such as per-interface rules, NAT, and reply-to do not work with IPsec VTI interfaces by default. The IPsec Filter Mode setting can allow IPsec VTI interfaces to utilize these features. See Advanced IPsec Settings.

Verifying an Interface Type

There are a couple of ways to confirm if the firewall is treating an interface as a WAN or a LAN.

The interface status page (Status > Interfaces) is useful for determining the interface type. For non-VPN interfaces the presence of the Gateway IPv4 and/or Gateway IPv6 attribute on an interface indicates that the firewall considers it as a WAN type interface.

The next easiest method is to check the outbound NAT settings at Firewall > NAT, Outbound tab. Check the Automatic Rules section if the mode is set to Automatic or Hybrid. WAN type interfaces will have rules in the list with their name in the Interface column. LAN type interfaces have their subnets listed in the Source column of each rule.

Note

If the outbound NAT mode is Automatic or Hybrid and there are no entries in the Automatic Rules list, that generally indicates that the firewall has either no WAN type interfaces or no LAN type interfaces. Check the gateway settings on each assigned interface and ensure that all WAN interfaces have a gateway selected and that no LAN interfaces have a gateway selected.
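The same classification can be done offline against a backup of config.xml, which is handy when auditing several firewalls or a configuration that is not yet deployed. The script below is an added example, not pfSense code: it applies the rule from "Choosing between WAN and LAN Types" (gateway selected, or a dynamic DHCP/PPP type, means WAN type; otherwise LAN type; assigned OpenVPN, IPsec VTI, GRE and GIF interfaces get the mixed treatment from "VPN Interfaces"), predicts the Interface/Source pairs that the Automatic Rules list should contain, and flags a gateway selected on an interface whose subnet is RFC 1918. The config fragment, the interface names, the DYNAMIC_* value sets and the VPN device-name prefixes are constructed assumptions for the demonstration.

```python
"""Classify assigned pfSense interfaces as WAN type or LAN type (added
example, not pfSense code) from a config.xml fragment, then predict the
automatic outbound NAT sources/interfaces and flag suspicious gateways."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: these <ipaddr>/<ipaddrv6> values mean the interface obtains a
# dynamic gateway and is therefore always treated as WAN type.
DYNAMIC_V4 = {"dhcp", "pppoe", "pptp", "l2tp", "ppp"}
DYNAMIC_V6 = {"dhcp6", "slaac"}
# Assumption: device-name prefixes used by assigned VPN/tunnel interfaces.
VPN_PREFIXES = ("ovpns", "ovpnc", "ipsec", "gre", "gif")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed config.xml fragment (not from a real firewall). opt3 deliberately
# reproduces the mistake the Warning above describes: a gateway selected on a
# site-to-site interface.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr><ipaddr>203.0.113.10</ipaddr><subnet>24</subnet><gateway>WAN_GW</gateway></wan>
    <lan><if>em1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>WAN2</descr><ipaddr>dhcp</ipaddr></opt1>
    <opt2><if>em3</if><descr>DMZ</descr><ipaddr>10.10.10.1</ipaddr><subnet>24</subnet></opt2>
    <opt3><if>em4</if><descr>SITE2SITE</descr><ipaddr>172.16.0.1</ipaddr><subnet>30</subnet><gateway>S2S_GW</gateway></opt3>
    <opt4><if>ovpns1</if><descr>VPN</descr></opt4>
  </interfaces>
</pfsense>"""


@dataclass(frozen=True)
class Profile:
    name: str               # config key, e.g. "wan", "opt1"
    descr: str
    device: str
    network: Optional[str]  # IPv4 network, None when dynamic or not set
    nat: str                # "WAN" or "LAN": outbound NAT treatment
    shaper: str             # traffic shaper wizard treatment
    policy_routing: bool    # reply-to/route-to added to its rules
    resolver: str           # "LAN" = DNS Resolver allows queries automatically


def _text(node, tag):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def classify(xml_text: str) -> List[Profile]:
    root = ET.fromstring(xml_text)
    profiles = []
    for node in root.find("interfaces"):
        device = _text(node, "if")
        ipaddr = _text(node, "ipaddr")
        has_gateway = (_text(node, "gateway") not in ("", "none")
                       or _text(node, "gatewayv6") not in ("", "none"))
        network = None
        if ipaddr and ipaddr not in DYNAMIC_V4 and ipaddr != "none":
            prefix = _text(node, "subnet") or "32"
            network = str(ipaddress.ip_network(f"{ipaddr}/{prefix}", strict=False))
        common = (node.tag, _text(node, "descr"), device, network)
        if device.startswith(VPN_PREFIXES):
            # VPN: LAN type for NAT and the Resolver, WAN type for shaping and
            # reply-to/route-to. The tunnel network is configured on the VPN
            # instance rather than on the assigned interface, so it is not read here.
            profiles.append(Profile(*common, "LAN", "WAN", True, "LAN"))
        elif has_gateway or ipaddr in DYNAMIC_V4 or _text(node, "ipaddrv6") in DYNAMIC_V6:
            profiles.append(Profile(*common, "WAN", "WAN", True, "WAN"))
        else:
            profiles.append(Profile(*common, "LAN", "LAN", False, "LAN"))
    return profiles


def automatic_outbound_nat(profiles: List[Profile]) -> List[Tuple[str, str]]:
    """(Interface, Source) pairs expected in the Automatic Rules list, limited to
    entries derived from assigned interfaces: every LAN-type subnet on every
    WAN-type interface; a WAN-type interface's own subnet is never a source."""
    wans = [p for p in profiles if p.nat == "WAN"]
    sources = [p.network for p in profiles if p.nat == "LAN" and p.network]
    return [(w.descr, s) for w in wans for s in sources]


def gateway_warnings(profiles: List[Profile]) -> List[str]:
    """Heuristic: a WAN-type interface on an RFC 1918 subnet is often a local or
    site-to-site interface with a gateway wrongly selected (a WAN behind an
    upstream NAT is a legitimate exception, so this is a prompt, not a verdict)."""
    out = []
    for p in profiles:
        if p.nat == "WAN" and p.network:
            net = ipaddress.ip_network(p.network)
            if any(net.subnet_of(r) for r in RFC1918):
                out.append(f"{p.descr} ({p.name}): gateway selected on private subnet "
                           f"{p.network}; local and site-to-site interfaces should not "
                           "have a gateway selected on the interface configuration")
    return out


if __name__ == "__main__":
    found = classify(SAMPLE_CONFIG)
    for p in found:
        print(f"{p.descr:10} nat={p.nat} shaper={p.shaper} "
              f"policy_routing={p.policy_routing} resolver={p.resolver}")
    for iface, src in automatic_outbound_nat(found):
        print(f"outbound NAT: interface={iface} source={src}")
    for w in gateway_warnings(found):
        print("WARNING:", w)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; the predicted pairs should match the Interface and Source columns of the Automatic Rules list, and any interface that shows up as WAN type unexpectedly is where to look for a stray gateway selection.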

Another method is to start a traffic shaper wizard (Firewall > Traffic Shaper, Wizards tab) and step through until the wizard lists the interfaces. From there, check if an interface is present in either the LAN or WAN interface selection lists.

Note

This method will not work for interface types which do not support ALTQtraffic shaping.
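The reply-to and route-to behavior described for WAN type, LAN type and assigned VPN interfaces is also visible in the loaded ruleset, which `pfctl -sr` prints on the firewall. The parser below is an added example, not pfSense code: it groups the reply-to/route-to clauses by the interface named inside them and lists interfaces that have rules but no such clause, i.e. the ones the firewall is treating as LAN type for this purpose. SAMPLE_RULES is constructed to resemble `pfctl -sr` output using documentation addresses and is not captured from a real system; exact spacing and labels vary by version, which is why only the clause itself is matched.

```python
"""Confirm reply-to / route-to per interface from a pf ruleset listing
(added example, not pfSense code). Feed it the text of `pfctl -sr`."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample resembling `pfctl -sr` output; not from a real firewall.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.10 port = https flags S/SA keep state label "USER_RULE: allow https"
pass out route-to (em0 203.0.113.1) from 203.0.113.10 to ! 203.0.113.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.2) inet from 10.8.0.0/24 to any flags S/SA keep state label "USER_RULE: allow VPN"
"""

# keyword followed by "(interface gateway)"; tolerates either inner spacing
POLICY_RE = re.compile(r"\b(reply-to|route-to)\s*\(\s*(\S+)\s+(\S+?)\s*\)")
# "on <if>" names the interface a rule is attached to
ON_RE = re.compile(r"\bon\s+(\S+)")


def policy_routing_by_interface(ruleset: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map each interface named in a reply-to/route-to clause to the gateways
    used, e.g. {"em0": {"reply-to": {"203.0.113.1"}, "route-to": {...}}}."""
    found = defaultdict(lambda: {"reply-to": set(), "route-to": set()})
    for line in ruleset.splitlines():
        for keyword, iface, gateway in POLICY_RE.findall(line):
            found[iface][keyword].add(gateway)
    return dict(found)


def interfaces_without_policy_routing(ruleset: str) -> List[str]:
    """Interfaces that carry rules but never appear in a reply-to/route-to
    clause: the firewall is treating them as LAN type for this attribute."""
    attached = set()
    for line in ruleset.splitlines():
        attached.update(ON_RE.findall(line))
    return sorted(attached - set(policy_routing_by_interface(ruleset)))


if __name__ == "__main__":
    for iface, clauses in sorted(policy_routing_by_interface(SAMPLE_RULES).items()):
        print(iface, {k: sorted(v) for k, v in clauses.items()})
    print("no reply-to/route-to:", interfaces_without_policy_routing(SAMPLE_RULES))
```

On a real system run `pfctl -sr` as root and pass its output in place of SAMPLE_RULES. An interface you expect to be WAN type that lands in the "no reply-to/route-to" list either has no gateway selected or has the reply-to behavior disabled per rule or globally under System > Advanced, Firewall & NAT; an IPsec VTI interface will also land there unless the IPsec Filter Mode setting described above has been changed.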
